09/26/2018

What the NIST Small Business Cybersecurity Act Means for You

by David Wagner

The recent passage of the National Institute of Standards and Technology (NIST) Small Business Cybersecurity Act aims to provide guidance and structure to small businesses on the urgent and often uncertain issue of cybersecurity. Specific recommendations will not be available for another year, but the passage of the NIST Act is still a step in the right direction for the most vulnerable companies among us.

More than half of the victims of malware are small businesses, according to Verizon. Smaller enterprises are attacked frequently because their digital assets are still highly valuable, and those attacks are successful more often because small businesses typically lack the cybersecurity resources of larger companies. The NIST Act acknowledges this disadvantage and aims to make cybersecurity both more effective and more accessible for these businesses.

How Will the NIST Act Affect My Small Business?

It’s important to establish at the outset that this act is more about suggestion than prescription. It will establish guidelines and best practices for businesses to follow but won’t enforce them by law. Small businesses will be compelled to improve — not forced to adapt — and shouldn’t have to worry about their compliance burden ballooning overnight.

Understanding the limits of the act is important, because while it might not be an ironclad mandate, it’s also not a panacea. The cybersecurity struggles that so many businesses face will not go away simply because the act passed. With hackers becoming more motivated than ever, the speed and sophistication of attacks is likely to increase. The NIST is preparing to provide helpful guidance, but it’s ultimately up to every small business to take responsibility and allocate resources for their own cybersecurity.

Defending against newer and stronger attacks is one priority, but the cybersecurity landscape is growing in complexity, and not all the threats are coming from bad actors. For instance, the GDPR rules now in effect in Europe create sweeping requirements for data protection and levy stiff penalties for noncompliance. These rules may already affect domestic small businesses, and American regulators at the state and federal levels are likely to follow suit, as seen in California. Consequently, small businesses will have to manage cyber defense and compliance simultaneously. That figures to be a significant burden for small businesses.

How Can I Build on the NIST Act?

Regulators are doing their part to improve cybersecurity, but the urgency is on the small businesses being targeted and the tech companies developing the defenses. Together, those two parties are really on the front lines of the fight. Here are some tips for going beyond the framework of the NIST Act to ensure that cybersecurity is as strong as it needs to be.

Move to the Cloud: The threat and regulatory landscapes are changing all the time, meaning that older defenses quickly become inadequate. The cloud ensures that whatever protections and policies you have in place can evolve as quickly as they need to once things adapt. The burden of keeping things up-to-date falls onto the vendor instead of taxing the limited resources available at a small business.

Beware of Your Inbox: Hackers target small businesses using email, because it’s a ubiquitous communication tool as well as an easy and effective way to bypass defenses. Lots of threats attack the inbox, and relying on users to spot and avoid threats isn’t a safe bet. The only consistent solution is to implement email filtering that can identify and eliminate dangerous emails before they enter your network.

Encrypt the Outbound: Encrypting outbound emails is likely to be required in the near future, but until then, it’s already an important protection. Once information leaves the perimeter of your cyber defenses, it’s highly vulnerable to an attack. Encryption ensures that even if data is stolen, it can’t be exploited.

Vet Your Vendors: Lots of cybersecurity vendors sell tools, but small businesses are looking for solutions. They need vendors to provide expertise, oversight, and accessible technologies that work in concert to eliminate all kinds of cyber risk. Vetting vendors carefully reveals how well they understand the needs of small businesses and how prepared they are to meet them.

Government is working to address cyber threats, but it has a lot of catching up to do. In the meantime, small businesses cannot wait for solutions and support to come from the top down. Instead, small businesses should feel empowered to act on their own behalf and seek out the protections that are already overdue.